Chubb Bulleid Law Firm Hit by Cactus Ransomware, Data Exposed

Incident Date: July 30, 2024


Overview

Victim: Chubb Bulleid

Attacker: Cactus

Location: Wells, United Kingdom

First Reported: July 30, 2024

Chubb Bulleid Law Firm Targeted by Cactus Ransomware Group

Chubb Bulleid, a prominent law firm based in Somerset, UK, has recently fallen victim to a ransomware attack orchestrated by the Cactus ransomware group. The attack, disclosed on July 31, 2024, has led to the exposure of a significant amount of sensitive and confidential information.

About Chubb Bulleid

Chubb Bulleid is a well-established law firm with offices in Wells, Street, and Somerton. Formed in March 1997 through a merger of Chubb Beresford and Bulleid Leeks & Co., the firm has expanded over the years, incorporating Alan R Walton & Company in 2004 and T.G. Pollard & Co. in 2015. The firm operates as a private limited company under the name Chubb Bulleid Limited, with the company number 05386876.

Chubb Bulleid provides a range of legal services to individuals, families, and businesses, both locally and internationally. The firm emphasizes community engagement and personalized service, maintaining strong ties with the local community. Their commitment to high-quality service has fostered a reputation for reliability and professionalism.

Details of the Ransomware Attack

The ransomware attack on Chubb Bulleid has resulted in the exposure of various sensitive documents, including litigation files, corporate data, non-disclosure agreements, contracts, employee records, financial documents, and internal correspondence. Screenshots of the leaked information have surfaced, although the download links have been redacted by the attackers. The firm has yet to publicly address the full extent of the damage or the specifics of the attack, and it is presumed that an investigation is underway.

About the Cactus Ransomware Group

The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS) operation. The group is known for exploiting vulnerabilities and leveraging malvertising lures for targeted attacks. Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations across various industries.

Cactus ransomware employs unique encryption techniques to avoid detection: a batch script uses 7-Zip to obtain the encryptor binary, which is then deployed with an execution flag. The group appends the file extension “.cts1” to encrypted files. Their attacks often involve creating multiple accounts and adding them to the administrators group to evade detection and escalate privileges.
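A detection sketch for two of the host-level behaviours described above (several newly created accounts added to the administrators group, and files written with the “.cts1” extension), as an added example that is not part of the original report. The event records are constructed, their field names are a simplified, hypothetical flattening of Windows Security events 4720/4732 and Sysmon event 11, and the 30-minute window and two-account threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real incident). Field names are a
# simplified, hypothetical flattening of Windows Security 4720 (account created),
# 4732 (member added to local group) and Sysmon 11 (file created) records.
EVENTS = [
    {"ts": "2024-07-30T01:02:10", "host": "FS01", "id": 4720, "account": "svc_bkp1"},
    {"ts": "2024-07-30T01:02:15", "host": "FS01", "id": 4732, "account": "svc_bkp1", "group": "Administrators"},
    {"ts": "2024-07-30T01:03:40", "host": "FS01", "id": 4720, "account": "svc_bkp2"},
    {"ts": "2024-07-30T01:03:44", "host": "FS01", "id": 4732, "account": "svc_bkp2", "group": "Administrators"},
    {"ts": "2024-07-30T02:15:00", "host": "FS01", "id": 11, "path": r"D:\Cases\brief.docx.cts1"},
    {"ts": "2024-07-30T09:00:00", "host": "WS07", "id": 4720, "account": "jsmith"},
    {"ts": "2024-07-30T09:30:00", "host": "WS07", "id": 11, "path": r"C:\Users\a\notes.txt"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window
MIN_ACCOUNTS = 2                # assumed threshold for "multiple accounts"

def detect(events):
    """Return sorted (host, rule, detail) findings for the two indicators."""
    created = defaultdict(dict)   # host -> {account: creation time}
    promoted = defaultdict(list)  # host -> [(time, account)] for new accounts made admin
    findings = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 4720:
            created[host][ev["account"].lower()] = ts
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            acct = ev["account"].lower()
            born = created[host].get(acct)
            # Only count accounts that were created shortly before being promoted.
            if born is not None and ts - born <= WINDOW:
                promoted[host].append((ts, acct))
                recent = {a for t, a in promoted[host] if ts - t <= WINDOW}
                if len(recent) >= MIN_ACCOUNTS:
                    findings.add((host, "new-admin-accounts", ",".join(sorted(recent))))
        elif ev["id"] == 11 and ev["path"].lower().endswith(".cts1"):
            findings.add((host, "cts1-extension", ev["path"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

A single new administrator account, or an existing account being added to the group, does not fire the first rule; tune the window and threshold to the environment's normal provisioning pattern.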
